Since July 1st, some California consumers have eagerly begun enforcing their newly created privacy rights through class-action lawsuits aimed at companies consumers believe to have mishandled their data.
Just last week, a consumer sued Walmart, alleging a lack of necessary security standards to protect the consumer’s credit card data during a recent security breach – the consumer’s data is now being sold on the dark web. That suit is not unique; businesses should take every precaution to avoid this type of liability.
A brief background on the CCPA
The California state legislature passed the California Consumer Protections Act (CCPA) in 2018, which – among many other things – provided consumers a private right of action in instances where a company does not take reasonable security measures to protect its consumers’ data.
Part of reasonable security measures includes providing consumers with the right to opt-out of a company’s data selling practices. In short, if a customer opts out of your company’s data practices, then it is your responsibility to ensure their data is not impermissibly shared with third-parties. For more about the CCPA’s opt-out requirement, see our previous blog post here.
The CCPA was set to take effect this January; however, enforcement was delayed until July 1. During that gap period, last March, the California AG’s Office promulgated CCPA regulations to clarify the Act’s enforcement. While the regulations are still in the revisions process, the state’s AG announced enforcement would move forward despite the pandemic.
But my company doesn’t sell customer data, am I still subject to the CCPA?
It could be. A company can still be considered selling customer data, even if that company never sees that data.
If a company’s website uses some type of ad-tech service, the site becomes a conduit for consumer data transfers. Under the CCPA, if a business transfers data to third parties without any use restriction, that is considered selling consumer data. The Act, however, provides an exception for service providers, which the CCPA defines as an entity that strictly uses the consumer data for the business’s own benefit.
Ad-tech giants, like Facebook and Google, have created specific features that – when enabled – transform their third-party status to a “service provider” under the CCPA. That means they limit their data-sharing practices for certain users. As CCPA enforcement is in full swing, businesses that are subject to the Act should ensure they have enabled these features ASAP.
For more information on whether a company is subject to the CCPA, see our previous blog post here.
Facebook’s LDU is automatically enabled until July 31st
Facebook recently announced its new Limited Data Use (LDU) feature that would detect if a user is a California resident and then limit the way that user’s data is processed and stored. This feature is designed to ensure Facebook complies with its role as a “data processor” under the CCPA for those users who opt-out of a company’s data practices.
The LDU feature is automatically enabled during the “transition period,” which ends July 31, but after that Facebook advertisers will need to update their Pixel to include a string for ‘dataProcessingOptions.’ That string allows advertisers to either (1) control if the advertiser is identifying a user in California or (2) opt for Facebook to automatically detect if the user is in California. Once identified, advertisers can opt to enable the LDU feature in all page view instances for those identified users who have opted out of the advertiser’s data-tracking practices.
The down-side of that process is that it will likely result in limiting the effectiveness of Facebook remarketing campaigns because it has the potential to effectively exclude all California residents from marketing campaigns. Because the LDU is currently enabled, many companies will likely see a decline in the effectiveness of their remarketing campaigns.
If a business does not enable the LDU feature by July 31, it is taking the sole responsibility of CCPA data protections – and likely will not be in compliance with the Act.
Businesses should also enable Google’s RDP ASAP
Last November, Google developed a concept called “restricted data processing” (RDP) – akin to the IAB’s compliance framework.
If a business used a service with the enabled RDP, then Google would act as a CCPA service provider and would not share the consumers’ data with third parties except for certain business purposes (i.e. ad delivery, reporting, measurement, security, fraud detection, and debugging).
Businesses can disable personalized ad serving and limit how data is processed through services like Google Ads, App Campaigns, and Google Analytics. Depending on the service, Google advertisers can choose to enable RDP on a per-user-basis (i.e. a user selects the “Do Not Sell My Personal Information” button on a company’s website). For some products, advertisers may enable RDP for all users in California. Google’s AdSense even has a per-request RDP setting to comply with CCPA restrictions.
If it hasn’t already done so, businesses should enable these RDP features for Google products and services to ensure CCPA compliance – and there’s no time like the present.
For additional information or guidance on how best to comply with CCPA, including an opt-out and privacy policy, or to sign-up for our newsletter as we publish ongoing CCPA updates, please contact us.
